File rubygem-actionpack-2.1.2_timing_weakness.patch of Package rubygem-actionpack-2_1
From 674f780d59a5a7ec0301755d43a7b277a3ad2978 Mon Sep 17 00:00:00 2001 From: Michael Koziarski <michael@koziarski.com> Date: Sun, 23 Aug 2009 17:26:46 +1200 Subject: [PATCH] Fix timing attack vulnerability in the Cookie Store Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC --- .../lib/action_controller/session/cookie_store.rb | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) Index: lib/action_controller/session/cookie_store.rb =================================================================== --- lib/action_controller/session/cookie_store.rb.orig 1970-01-01 01:00:00.000000000 +0100 +++ lib/action_controller/session/cookie_store.rb 2009-09-16 15:04:36.743029435 +0200 @@ -139,7 +139,7 @@ class CGI::Session::CookieStore data, digest = cookie.split('--') # Do two checks to transparently support old double-escaped data. - unless digest == generate_digest(data) || digest == generate_digest(data = CGI.unescape(data)) + unless secure_compare(digest, generate_digest(data)) || secure_compare(digest, generate_digest(data = CGI.unescape(data))) delete raise TamperedWithCookie end @@ -163,4 +163,17 @@ class CGI::Session::CookieStore def clear_old_cookie_value @session.cgi.cookies[@cookie_options['name']].clear end + + # constant-time comparison algorithm to prevent timing attacks + def secure_compare(a, b) + if a.length == b.length + result = 0 + for i in 0..(a.length - 1) + result |= a[i] ^ b[i] + end + result == 0 + else + false + end + end end
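Review bot: in the first hunk (`cookie_store.rb` around line 139), `digest` comes straight from `cookie.split('--')`, so a cookie with no `--` separator yields `digest == nil`; the old `digest == generate_digest(data)` simply evaluated to false and raised `TamperedWithCookie`, but the new `secure_compare(digest, ...)` will instead raise `NoMethodError` on `nil.length`. Guard the call, e.g. `unless digest && (secure_compare(digest, generate_digest(data)) || ...)`, or coerce with `digest.to_s` before comparing. The `||` short-circuit still makes the second `generate_digest` call conditional on the first comparison failing, but that only reveals whether the cookie was double-escaped, not any byte of the HMAC, so it is acceptable; a one-line comment saying so would save the next reader the analysis.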
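Review bot: in the second hunk, `a[i] ^ b[i]` inside `secure_compare` depends on Ruby 1.8 `String#[]` returning an Integer byte; on Ruby 1.9 and later it returns a one-character String, which has no `^` method, so every comparison raises `NoMethodError`. Comparing byte arrays avoids the portability trap, e.g. replace the `for` loop with `a.unpack('C*').zip(b.unpack('C*')).each { |x, y| result |= x ^ y }`. The `else false` early return on a length mismatch is fine (the expected HMAC length is public), but the comment above the method claims constant time unconditionally and should state that only equal-length inputs are compared in constant time. The method also does not handle a `nil` argument, which the caller at line 139 can pass.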